
Wednesday, October 12

How to Import a Certificate and Key into AIX?


Tools required for importing certificates into the keystore
In order to perform the tasks in this scenario, the following tools are required:
  • A certificate management tool for generating the keypair and creating the certificate signing request (CSR). This can be any tool; OpenSSL is used in this scenario and can be obtained at http://www.openssl.org.
  • A tool to import the certificate and the private key into the Tivoli Provisioning Manager keystore. Use the IBM® tool, KeyMan. It can be obtained at http://www.alphaworks.ibm.com/tech/keyman/download.
Complete the following steps to import a certificate from VeriSign into Tivoli Provisioning Manager:
  1. Creating the keypair.
  2. Creating a certificate request.
  3. Exporting the key entry.
  4. Obtaining the certificate authority certificate.
  5. Importing the key entry into the keystore.
  6. Importing the certificates into the keystore.
  7. Configuring WebSphere Application Server for SSL communication.
  8. Configuring device manager service properties.

    Creating the keypair
    The private key must be created before you can request the certificate from VeriSign. In the RSA key exchange used by the SSL handshake between the Tivoli Provisioning Manager server and the client, the client encrypts the session secret with the public key carried in the server certificate, and only the holder of the matching private key can decrypt it.
    Keep the private key in a safe place. Anyone who obtains the private key can impersonate the server and decrypt captured sessions.
    Generate the private key using the following command:
    openssl genrsa -des3 -out VeriSign.key 2048
    The passphrase-protected private key is written to the VeriSign.key file; the public key placed in the CSR is derived from it. Use a key length of at least 2048 bits: public CAs no longer accept CSRs for 1024-bit RSA keys.

    Creating a certificate request
    Create the certificate request (CSR) with OpenSSL. Once the request has been submitted, the certificate is issued by VeriSign.
    Note: The options in the commands may be different for your scenario. Consult the openssl documentation for more details.
    1. Run the following command to create a certificate request (CSR):
      openssl req -new -key ./VeriSign.key -out VeriSign.csr
      You are prompted for the key passphrase and for the subject fields (country, organization, common name). The common name must be the fully qualified host name that clients use to reach the server. The certificate request is written to VeriSign.csr; the key pair already exists from the previous step.
    2. Open the file VeriSign.csr in a text editor. Use a text editor that does not add extra characters. Windows® Notepad or the Vi text editor is recommended.
    3. When the VeriSign enrollment form asks for the CSR, paste the complete contents of VeriSign.csr, including the BEGIN and END lines, into the form.
    When the enrollment form is completed, VeriSign will email the certificate to you. The certificate will be sent in the base-64 encoded format.

    Exporting the key entry
    The certificate and the private key need to be exported together so that they can be transported and imported into other keystores. Export the certificate and private key pair into PKCS#12 format. The exported key entry will be imported into the Tivoli Provisioning Manager keystore so that it can be used for SSL communication.
    Save the base-64 certificate received from VeriSign as cert.cer, then export the key entry with OpenSSL by running the following command:
    openssl pkcs12 -export -in cert.cer -inkey $PWD/VeriSign.key -name "VeriSign Cert" -out Vcert.p12
    You are prompted for the passphrase of VeriSign.key and then for an export password that protects the output. The exported file is called Vcert.p12 and is in PKCS#12 format; the value given to -name becomes the alias (friendly name) of the key entry in the keystore. Because Vcert.p12 contains the private key, handle it with the same care as the key itself and delete it once the import has succeeded.
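The three OpenSSL steps above (key, CSR, PKCS#12 export), run end to end with the checks a practitioner would want before handing the file to KeyMan. This is an added example, not part of the IBM procedure: no CA is reachable offline, so a throw-away root and intermediate CA constructed in the script stand in for VeriSign, and the file names, subject names, the hostname tpm.example.com and the passphrase "changeit" are assumptions. The last check reads back the friendly name, which is the alias that the WebSphere com.ibm.ssl.keyStoreServerAlias property later has to name.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure: the OpenSSL half of the
# workflow (key, CSR, PKCS#12 export) plus the checks worth running before
# the file goes into KeyMan. No CA is reachable offline, so a throw-away
# root and intermediate CA, constructed here, stand in for VeriSign.
# Assumed: file names, subject names and the passphrase below.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # assumption; in practice prompt for it or read a 0600 file

write_config() {
  # Minimal config so the example does not depend on the system openssl.cnf.
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tpm.example.com
EOF
}

gen_key_and_csr() {
  # 2048-bit key wrapped with AES-256: public CAs stopped signing 1024-bit keys years ago.
  openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/VeriSign.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/VeriSign.key" -passin "pass:$PASS" \
    -subj "/C=US/O=Example Corp/CN=tpm.example.com" -out "$WORK/VeriSign.csr" 2>/dev/null
}

make_stand_in_ca() {
  # Constructed root + intermediate; in the real procedure these are VeriSign's.
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/O=Stand-in/CN=Stand-in Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/O=Stand-in/CN=Stand-in Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_ca \
    -out "$WORK/inter.cer" 2>/dev/null
}

issue_cert() {
  # Plays the CA's part: sign the CSR, producing the cert.cer that the page exports.
  openssl x509 -req -in "$WORK/VeriSign.csr" -CA "$WORK/inter.cer" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/cert.cer" 2>/dev/null
}

export_p12() {
  # Same export as the page, plus -certfile so the chain travels with the key entry.
  cat "$WORK/inter.cer" "$WORK/root.cer" > "$WORK/chain.pem"
  openssl pkcs12 -export -in "$WORK/cert.cer" -inkey "$WORK/VeriSign.key" -passin "pass:$PASS" \
    -certfile "$WORK/chain.pem" -name "VeriSign Cert" -passout "pass:$PASS" -out "$WORK/Vcert.p12"
}

# --- checks ----------------------------------------------------------------
check_key_matches_csr() {
  # The CSR must carry the public half of VeriSign.key: compare modulus digests.
  k=$(openssl rsa -in "$WORK/VeriSign.key" -passin "pass:$PASS" -noout -modulus 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$WORK/VeriSign.csr" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ]
}

check_chain() {
  # The leaf must chain to the root through the intermediate before anyone imports it.
  openssl verify -CAfile "$WORK/root.cer" -untrusted "$WORK/inter.cer" "$WORK/cert.cer" >/dev/null 2>&1
}

p12_alias() {
  # friendlyName is the alias KeyMan lists and that com.ibm.ssl.keyStoreServerAlias must name.
  openssl pkcs12 -in "$WORK/Vcert.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

p12_cert_count() {
  # Expect 3: leaf + intermediate + root.
  openssl pkcs12 -in "$WORK/Vcert.p12" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_all() {
  write_config; gen_key_and_csr; make_stand_in_ca; issue_cert; export_p12
  check_key_matches_csr && check_chain \
    && [ "$(p12_alias)" = "VeriSign Cert" ] && [ "$(p12_cert_count)" -eq 3 ]
}

run_all && echo "Vcert.p12 ready in $WORK (alias: $(p12_alias))"
```

If an OpenSSL 3 export is rejected by an old Java-based tool such as KeyMan, re-run the export with the -legacy option so the PKCS#12 is written with the older RC2/3DES encryption those tools understand; the weaker wrapping only protects the file in transit, so delete it after the import.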

    Importing the key entry into the keystore
    Prerequisite: Create a backup copy of the Tivoli Provisioning Manager keystore, agentManagerKeys, before making any changes to the file.
    Use the IBM KeyMan tool to import the Vcert.p12 key entry into the Tivoli Provisioning Manager keystore. If you have not yet installed KeyMan, download and install the tool from this Web site: http://www.alphaworks.ibm.com/tech/keyman/download
    After the KeyMan is successfully installed, perform the following steps:
    1. Launch KeyMan and click Open.
    2. Select Local resource and then select Open a file.
    3. In the Open window, enter the location of the keystore.
    4. Leave the JCE provider field empty.
    5. If you are prompted for the password, enter the password of the keystore.
      Note: The keystore password is specified during the Tivoli Provisioning Manager installation.
    6. Select Trusted CA Certificates from the list. You should see the CA certificates from AgentManager.
    7. Select Private Certificates from the list. You should see the agentmanagerkey: Agent Manager certificate.
    8. To import the key entry that was previously exported, select File > Import.
    9. Select Local resource and then Open a file.
    10. Enter the Vcert.p12 file location and then the password. Click Next.
    11. Verify that the key entry was imported by selecting Private Certificates from the list. The VeriSign certificate will be listed. Click on the certificate to display the details.
      Note: The label, or alias, of the certificate is shown in the details. This value will be required later when you configure WebSphere Application Server for SSL communication.
    Leave the keystore open and continue to import the certificates into the keystore.

    Importing the certificates into the keystore
    After you import the Vcert.p12 key entry into the keystore, you need to import the chain certificates that you downloaded earlier. The chain consists of an intermediate and a root certificate authority certificate:
    • Root CA Certificate: VeriSign Class 3 Public Primary CA.
    • Intermediate Certificate: Secure Site/Managed PKI for SSL Standard Intermediate CA Certificate.
    To import the chain certificates:
    1. Select File > Import.
    2. Select Local resource and then Open a file.
    3. Enter the certificate file location and then the password. Click Next.
      Note: If there is no password prompt when you are loading the certificates, reset the password:
      1. Select Options > Change User Password.
      2. Type in the new passphrase in the required fields. Click Next.
      3. Select File > Save to save the keystore.
      4. Select File > Close to exit the KeyMan tool.
    4. Verify that the certificates were imported by selecting Trusted CA Certificates from the list. The VeriSign certificate will be listed. Click on the certificate to display the details.
    The certificates have now been imported into the keystore.

    Configuring WebSphere Application Server for SSL communication
    After the real certificate is stored in the keystore, additional configuration is required in WebSphere Application Server so that the Java™ Secure Socket Extension (JSSE) presents the intended certificate to the user, or Web browser, instead of picking an arbitrary key entry from the keystore. JSSE is the set of Java packages that implements SSL/TLS.
    To perform the required configurations for WebSphere Application Server:
    1. Log on to the WebSphere Application Server administrative console at the following Web address: http://<fully_qualified_host_name>:port/admin. Use port 9060 or 9061.
    2. Select Security > SSL > <node_name>/AgentManagerSSL > Custom properties.
    3. Click New to create a new property.
    4. The name and value of the new property should have the following information:
      • Name: com.ibm.ssl.keyStoreServerAlias
      • Value: the alias of the VeriSign key entry. This alias was shown in the details of the VeriSign certificate after you imported the key entry into the keystore.
    5. Save the settings for the new WebSphere Application Server configuration for SSL communication.
    6. Restart Tivoli Provisioning Manager for the changes to take effect.
    Configuring device manager service properties
    When you use a new certificate, some configuration is required for the device manager service properties so that the service recognizes the purchased VeriSign certificate.
    After Tivoli Provisioning Manager is installed, device manager service is configured to use the agentKeys.jks and agentTrust.jks SSL repertoires in %WAS_HOME%\properties\DMSSLConfig.properties:

    TPM_KEYSTORE_LOCATION=C:\\Program Files\\ibm\\tivoli\\tpm\\cert\\agentKeys.jks
    TPM_KEYSTORE_PASSWORD=[xor] 0uHh8VTZu6WrlpvRMIrAzg==
    TPM_TRUSTSTORE_LOCATION=C:\\Program Files\\ibm\\tivoli\\tpm\\cert\\agentTrusts.jks
    TPM_TRUSTSTORE_PASSWORD=[xor] 0uHh8VTZu6WrlpvRMIrAzg==
    To configure device manager service to use the new certificate, update the keystore and truststore locations to use the agentManagerKeys.jks and agentManagerTrust.jks SSL repertoires:

    TPM_KEYSTORE_LOCATION= C:\\Program Files\\ibm\\AgentManager\\certs\\agentManagerKeys.jks
    TPM_KEYSTORE_PASSWORD=think4me
    TPM_TRUSTSTORE_LOCATION= C:\\Program Files\\ibm\\AgentManager\\certs\\agentManagerTrust.jks
    TPM_TRUSTSTORE_PASSWORD=think4me
    The properties are updated so that device manager service recognizes the new certificates.
    Note: The updated example writes the keystore password in clear text, and the [xor] form it replaces is reversible obfuscation rather than encryption. Either way the file grants access to the server's private key, so restrict read permission on DMSSLConfig.properties to the account that runs the device manager service.


    Source: http://publib.boulder.ibm.com/infocenter/tivihelp/v20r1/index.jsp?topic=%2Fcom.ibm.tivoli.tpm.sec.doc%2Fsecurity%2Ftsec_verisigncert.html
